

sasl: validate non-empty user/pass/token
This avoids sending empty credentials to the broker. It is difficult to
validate this up front because all mechanisms are designed for
hot-reloading credentials, but we can validate at the time just before
we connect and issue a request.

Closes #472.
twmb committed Jul 8, 2023
1 parent 76d2e71 commit b5cafba
Showing 4 changed files with 12 additions and 2 deletions.
3 changes: 3 additions & 0 deletions pkg/sasl/oauth/oauth.go
Expand Up @@ -52,6 +52,9 @@ func (fn oauth) Authenticate(ctx context.Context, _ string) (sasl.Session, []byt
if err != nil {
return nil, nil, err
}
if auth.Token == "" {
return nil, nil, errors.New("OAUTHBEARER token must be non-empty")
}

// We sort extensions for consistency, but it is not required.
type kv struct {
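Review bot: The new `auth.Token == ""` guard gives no hint of why the token is validated on every Authenticate call instead of once when the mechanism is built, and the reason (the token comes from a callback so it can be hot-reloaded, per the commit message) is not visible in the code. Add a why-comment above the check, `// The token is fetched per-authentication so it can be hot-reloaded; validate it here, just before it goes on the wire.` Note that a whitespace-only token still passes this guard; whether that is worth rejecting depends on how the token is framed later, which is outside this hunk. The enclosing Authenticate body starts above the shown lines, so the call that populates `auth` is not visible here.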
4 changes: 4 additions & 0 deletions pkg/sasl/plain/plain.go
Expand Up @@ -3,6 +3,7 @@ package plain

import (
"context"
"errors"

"github.com/twmb/franz-go/pkg/sasl"
)
Expand Down Expand Up @@ -46,6 +47,9 @@ func (fn plain) Authenticate(ctx context.Context, _ string) (sasl.Session, []byt
if err != nil {
return nil, nil, err
}
if auth.User == "" || auth.Pass == "" {
return nil, nil, errors.New("PLAIN user and pass must be non-empty")
}
return session{}, []byte(auth.Zid + "\x00" + auth.User + "\x00" + auth.Pass), nil
}

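Review bot: The new non-empty check on `auth.User` and `auth.Pass` does not reject NUL bytes, yet the return statement directly below frames the PLAIN message with `\x00` separators, so a zid, user or password containing `\x00` shifts the fields the broker parses (for example an empty zid and user `a\x00b` is read as authcid `a` with a password starting `b\x00`), which is exactly why RFC 4616 requires all three fields to be NUL-free. Extend the guard: `if strings.ContainsRune(auth.Zid, 0) || strings.ContainsRune(auth.User, 0) || strings.ContainsRune(auth.Pass, 0) { return nil, nil, errors.New("PLAIN zid, user, and pass must not contain NUL") }`, adding `"strings"` to the import block touched in the first hunk. Authenticate's signature appears only in the hunk header; its body begins above the shown lines.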
4 changes: 2 additions & 2 deletions pkg/sasl/sasl.go
@@ -1,4 +1,4 @@
// Package sasl specifies interfaces that any sasl authentication must provide
// Package sasl specifies interfaces that any SASL authentication must provide
// to interop with Kafka SASL.
package sasl

Expand Down Expand Up @@ -32,7 +32,7 @@ type Mechanism interface {
Authenticate(ctx context.Context, host string) (Session, []byte, error)
}

// ClosingMechanism is an optional interface for sasl mechanism's. Implementing
// ClosingMechanism is an optional interface for SASL mechanisms. Implementing
// this interface signals that the mechanism should be closed if it will never
// be used again.
type ClosingMechanism interface {
3 changes: 3 additions & 0 deletions pkg/sasl/scram/scram.go
Expand Up @@ -105,6 +105,9 @@ func (s scram) Authenticate(ctx context.Context, _ string) (sasl.Session, []byte
if err != nil {
return nil, nil, err
}
if auth.User == "" || auth.Pass == "" {
return nil, nil, errors.New(s.name + " user and pass must be non-empty")
}
if len(auth.Nonce) == 0 {
buf := make([]byte, 20)
if _, err = rand.Read(buf); err != nil {
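Review bot: The new guard validates user and pass but leaves the caller-supplied `auth.Nonce` on the lines just below unvalidated: only an empty nonce triggers the 20-byte `rand.Read`, so any non-empty value, however short or fixed, is used as-is and silently weakens the freshness SCRAM relies on (presumably the override exists for tests, but nothing in the hunk restricts it to them). Consider rejecting short overrides next to the credential check, `if n := len(auth.Nonce); n != 0 && n < 16 { return nil, nil, errors.New(s.name + " nonce must be at least 16 bytes") }`, or at minimum document on the `Nonce` field that it is a test hook and must not be set in production. The nonce-generation branch continues past the end of the hunk.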
